Docker Security Hardening | Firewall Flamingos

Run as Non-Root

RUN addgroup -S app && adduser -S app -G app
USER app

docker run --read-only --tmpfs /tmp myimage

docker run --cap-drop ALL --cap-add NET_BIND_SERVICE myimage

docker run --memory 256m --cpus 0.5 --pids-limit 100 myimage

docker network create --internal isolated_net
docker run --network isolated_net myimage

# Scan image for vulnerabilities
docker scout cves myimage:latest

# Scan with Trivy
trivy image myimage:latest

Never bake secrets into images. Use Docker secrets or mount them at runtime:

docker run --secret id=db_pass,src=./db_password.txt myimage

Enable daemon-level audit logging:

{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  }
}